Using Selenium to mess with Survey Monkey

Quick show & tell post. How to use Python, Selenium and Chromedriver to automate the completion of a Survey Monkey survey, for good or evil.

20-February-2015

- 1 minute read

So our company just ran a 'people's choice' employee of the year competition and sent out a Survey Monkey form for people to vote.

I wanted to see if I could automate the submission of the survey using Selenium browser automation in order to test whether it was theoretically possible to write a bot that would vote for a single individual. Turns out it only took 18 lines of Python.

For those familiar with Selenium this is all pretty standard stuff. The script navigates the 'Next page' buttons and then clicks a specific check box that corresponds with an answer by targeting the attribute id="linput_740142485_10_8428776065_0". Obviously you could interact with any sort of field that the survey presents, this one just happened to be checkboxes.

The reason I went with Chrome's chromedriver over Selenium Webdriver's default Firefox is because I knew that the incognito mode would allow me to circumvent the cookies which track whether you have completed the survey before. However, I suspect Firefox's 'private window' feature could do the same.

You can start Chromedriver in incognito mode by passing -incognito as an option when launching the driver.

But surely Survey Monkey protects against this?

Well yes, and no. Survey Monkey has a number of options the survey creator can choose to protect their survey from abuse.

Creators can select to distribute the survey using the Email Invitation Collector, this means each link sent out is unique to the single email it was intended for. When that survey is returned the intended email address will appear in the results against that entry. This is often used when there are specific intended recipients for the survey, but this feature is rarely used for organisation wide surveys or competition surveys on public sites.

Alternatively, creators can choose to turn on IP Tracking. This will allow them to see the public IP of the survey respondents. However this can be circumvented by either routing your automated bot through proxies. In the case of a corporate survey, any employees on the same internal network will most likely have the same public IP recorded in Survey Monkey.

The creator can only allow the respondent to complete the survey once. Survey Monkey uses cookies to track whether you have already completed the survey. Luckily we can circumvent this using incognito mode.

So my script is not bullet proof, but luckily it relies on the survey creator knowing how to configure those features within Survey Monkey and then also check them after the results have come in. I'm betting that for a standard competition or internal survey it's unlikely they would go to that level of scrutiny.